SRX Services Gateway
SRX Services Gateway

Are VPN tunnels limited by the number of tunnel interfaces.

[ Edited ]
‎09-10-2013 07:41 AM

If using GRE over IPSEC VPN with Cisco router at remote location, with SRX 550/650/1400 as aggregation, do we need one tunnel interface per VPN. suppose each remote site (ciso router) has a backup and primary the total number of tunnel interface support required is

# of tunnel interfaces = # of remote sites x number of links per site

refereing back to the similar scenario in SSG , there were some tactics which can  use a single interface for multiple tunnels. if this is not the case are we limited by the numnber of tunnel interfaces on the platform.




SRX Services Gateway

Re: Are VPN tunnels limited by the number of tunnel interfaces.

‎09-11-2013 05:57 PM

Juniper is flexible. You can use signle interface for multiple tunnels if using route-based or multiple tunnels if using policy based. Take a look at hub and spoke VPN. Here is juniper's best practice:


"We recommend that you use route-based VPN when you want to configure VPN between multiple remote sites. Route-based VPN allows for routing between the spokes between multiple remote sites; it is easier to configure, monitor, and troubleshoot. Use policy-based VPN when your topology has a third-party device and requires a separate SAs for each remote subnet"

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]